UltraSurf analysis by Zhang Lei (in Chinese)

UltraSurf 20090101

UltraSurf

Research and Analysis of UltraSurf Software by Reverse Engineering

ABSTRACT

UltraSurf is a well-know client application on the Internet. With the help of its private communication protocols and remoting servers as agents, it can be used to penetrate through the network control available, so as to make it accessible to remote information. This thesis analyzes the UltraSurf (version 8.8) by using tools, such as Ollydbg, Ethereal and Iptables. The main method includes White Box and Black Box of the software reverse engineering. The analysis concentrated on the working process, methods and algorithms of encryption and decryption, Internet connection of the software, and the analysis result includes the working principle of the software, the way to encrypt the communication between the machine and the proxy servers, and dynamic methods to get the IP address of the proxy servers.IV

UltraSurf

From the analysis result, a scheme to control the behavior of the UltraSurf was set up. We validate it by deploying the system in the lab network environment. The rest result of the current control system indicates that the current control system could make the users in the test environment unable to use UltraSurf, but browse other websites as usual. We also summarize the characteristics of this kind of software and raise a general analytical method based on the analysis of UltraSurf.

KEY WORDS:Network Monitoring, Disassembly, Secure Proxy

V

UltraSurf

57

UltraSurf

1.1 21 -

FreeGate Garden

IE

UltraSurf

-

-

1.2 90 DNS IP - 2002 / / UltraSurf 1

IP

-

UltraSurf

-

- -

1.3

1.3.1 UltraSurf 1 2 3 4 -

UltraSurf UltraSurf

1.3.2 1 - ,

EXE DLL

2

UltraSurf

,-

2 3

UltraSurf -

4

-

UltraSurf IP -

IP IP 5 1.3.3 1 - - - -

- - - 2 - - 3

UltraSurf

-

-

-

3

-

1.4

UltraSurf8.8 ( UltraSurf) - UltraSurf -

4

UltraSurf

2.1 PE PE (Portable Executable File Format) VAX/VMS COFF Windows EXE DLL PE EXE DLL [3] PE 2-1 PE DOS 1 2 MS-DOS exe dll

PE

n

[3 ] 2-1 PE Fig.2-1 PE File Structure DOS MZ HEADER DOS 5

DOS

MZ HEADER DOS STUB

UltraSurf

PE

DOS

PE HEADER PE IMAGE_NT_HEADERS PE PE PE DOS MZ HEADER PE HEADER SECTION

PE HEADER

PE

/ / -

PE

SECTION TABLE

PE HEADER

PE DOS MZ HEADER PE PE

PE HEADER PE HEADER

PE HEADER

PE PE HEADER AddressOfEntryPoint RVA

2.2

2.2.1 EXE DLL

-

- - 2-2

6

UltraSurf

-

- exe

- exe

EXE -

2-2

[3]

Fig. 2-2 Execute Process of Shell

ASPack UPX PECompact

ASProtect tElock

2.2.2

1 PEiD 400 2-1 FileInfo PEiD Gtw PEiD

7

UltraSurf

2-1

[1]

UPX ASPack Petite PECompact Neolite PE-PACK ASProtect

UPX upx d FS ProcDump AspackDie CASPR un-ASPack DeASPack Anti-ASPack ProcDump Unpetite ProcDump PeunCompact tNO-Peunc UnPECompact ProcDump Neolite ProcDump DePEPACK UnPEPack ProcDump AsprStripperXP CASPR Asprotect Deprotector Anti Aspr

2

[2] -

OEP

PE

1 PE AddressOfEntryPoint DWORD -

--

D.boy AsprLoader PE-

JMP TRW2000

Scan IceDump 2

- TRW2000 OEP 3 IAT() API Windows IAT IAT - 8

-

ImportREC Revirgin

UltraSurf

2.3 Reverse Engineering

-

: [5][6][7]-

-

IDA Pro W32dasm OllyDbg IDA w32dasm OllyDbg API

[14][19]

2.3.1

[4][21]

0 1

--

9

UltraSurf

2.3.2 Windows Windows 16 Dos windows API MFC PE

VCL [17]

Windows

Windows

[13][15]

OllyDbg OllyMachine

OS OllyDbg 1.10

10

UltraSurf

UltraSurf

3.1 UltraSurf

3.1.1 UltraSurf

UltraSurf UltraReach Internet Corp. - UltraSurf

3.1.2 UltraSurf UltraSurf 3-1 - 3

4

IE

http://www.ultrareach.net/wujie.htm ( 3-2 UltraSurf )

3-1 UltraSurf Fig. 3-1 Start-up of UltraSurf11

UltraSurf

3-2

UltraSurf

Fig . 3-2 Homepage of UltraSurf

3-3 ,20 IE

3-3 UltraSurf Fig. 3-3 warning of UltraSurf when exit IE http://www.ultrareach.net/wujie.htm IE DNS windows cmd nslookup ( IP ) http://www.ultrareach.net/wujie.htm IP

3.1.3 UltraSurf UltraSurf 12

UltraSurf

-

UltraSurf

Google

http://127.0.0.1:9666/

UltraSurf 9666

Cookie HTTP

3.2 UltraSurf 3.2.1 UltraSurf PEiD UltraSurf 3-3 .13

UltraSurf

3-3 Fig

UltraSurf

. 3-3 The Information of UltraSurf

UPX

UPX

3.2.2

Windows

Windows API 9666 UltraSurf 3-4

UltraSurf IE http://127.0.0.1:9666 IE

Internet

14

UltraSurf

3-4

UltraSurf

hange d LAN Setting

Fig. 3-4 The C

UltraSurf

UltraSurf cookie

3.2.3 Win 32

-

-

UltraSurf UPX - 106K UPX upx -d u88c.exe PEiD VC++ 6.0 3 5 15

UPX

UPX

UltraSurf

3-5 UltraSurf Fig . 3-5 The Information of Unpacked UltraSurf

UltraSurf

3.3 UltraSurf

3.3.1 OllyDbg 1 OllyDbg [10] OllyDbg 1.10 ZIP OllyDbg.exe 3-6 1 HEX

OllyDbg.exe RAR

OllyDbg

-> 2 CPU EAX EBX ECX EDX16

UltraSurf

ESP EBP 3

ESI

EDI EIP

4 5

3-6 OllyDbg Fig. 3-6 The Debugging Window of OllyDbg 2 OllyDbg OllyDbg -> ->

17

UltraSurf

-

F2 F8 F7 F4 F9

F2

F2

(F8) CALL

CALL

CTR+F9 ret () ALT+F9

18

UltraSurf

3.3.2

3-7 Fig. 3-7 Character String Information - OllyDbg

3-7 IP 3.3.3 0x400000

19

UltraSurf

F8

CALL CALL CALL

UltraSurf exit

GetStartupInfo GetModuleHandle - MSDN

exit F2

F7

F9 0x400000[12]

0x400000 DLL

MFC

MFC42.dll USER32.dll JMP CALL

- OllyDbg

USER32,KERNEL32 DLL

3.3.4 MFC 004173F6|. E8 43000000 CALL

MFC MFC Windows MFC Windows API Windows C++ UltraSurf MFC

20

UltraSurf

MFC Windows API

Windows API [9]

MFC

MFC AfxWinMain 0040538E MSDN .E8 MFC42.dll CF190100 CALL

; // MFC - MFC - UltraSurf MFC DoMal() 3-8 MFC 73D3CF6D 73D3CF71 004050D4 EAX [11][20][22]

UltraSurf

EAX 58

3-8 MFC

From MFC

Fig . 3-8 Return

3.3.5

AfxBeginThread UI

AfxBeginThread MSDN AfxBeginThread worker

21

UltraSurf

UltraSurf 9 worker AfxBeginThread 1 UI AfxBeginThread UI worker 9 - A: B: UDP C: D: E: F: 443 G: H: I:

3.3.6 UltraSurf 8 Filemon fopen,fwrite,fread,fseek,ftell

-

ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\" " ADMINI~1 " C:\Document and Settings\\Locals and Settings\Temp 22

Filemon

UltraSurf

8

-

-

-

OllyDbg 00405C31 00405C36 00405C3B 00405C40 00405C45 CALL fopen CALL CALL GetTempPath EBX CALL ASCII C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ CALL - CALL GetVolumeInformation C:\Windows C:\Windows GetWindowsDirectory GetVolumeInformation MSDN vol GetWindowsDirectory Windows ->->cmd ( 3-9 ) ALL EAX C C05F0611 vol C fopen CALL u.0040CF1A CALL u.0040D166 CALL u.0040CD8E CALL u.0040D04C CALL u.0040D2A6 fopen . E8 E4720000 . E8 2B750000 . E8 4E710000 . E8 07740000 . E8 5C760000 fopen,fread,ftell,fwrite

GetVolumeInforation

23

UltraSurf

3-9

vol vol

Fig. 3-9 Get Disk serial by

windows

C++ CALL CALL 1 8 2 ADD,DIV,SHR,XOR

3 strcat - 2

CALL 0

CALL CALL

24

UltraSurf

UltraSurf 3 3 -

3

1 2 1 2

1 2

1 2

2 8

2)

RegOpenKey,RegQueryValue,RegCloseKey. \HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings IE 127.0.0.1 UltraSurf IE IE

25

UltraSurf

UltraSurf

IE cookie UltraSurf Windows 3) UltraSurf UltraSurf 3 -

0 04000000 3 IP IP

ASCII IP IP 5-8 40 IP IP IP IP 0000

040000 3 IP 4-

3.5.2 C++ 9 3

DNS IP IP

IP

26

UltraSurf

3.3.7 UltraSurf 1) UltraSurf - IP

Etheral Outpost Etheral 3 TCP SSL - IP 3 TCP SSL Outpost IP 3 IP IP 3 3 DNS DNS IP ns2.d79872fb4.net IP DNS IP IP IP IP 3

TCP SSL 3

DNS IP DNS

IP

DNS IP

3 DNS IP

DNS

1 2 27

UltraSurf

1 2

IP IP IP 1 2 IP

- 1 2

1 2 2)DNS

1 2 UltraSurf

UltraSurf DNS IP DNS DNS ql.1y.~{z(,*{1qzk - 3 40 May-21-13:50:05 | 929453: Send IDURL Query ns1.062efa01c.net to node 71.229.238.191. IP IP IP DNS IP UltraSurf DNS Etheral DNS 3 3 IP DNS DNS DNS UltraSurf DNS -- ns1.flade735d.net DNS ns1.flade735d.net DNS DNS

28

UltraSurf

3 3 IP

Outpost

Outpost

3 IP 3 IP 3 -> DNS

DNS

IP - DNS IP

3 IP

DNS IP IP IP

IP IP DNS IP IP IP IP IP IP Outpost

DNS UltraSurf UltraSurf IP IE IE ->

3)IE

-

IE IE 127.0.0.1:9666

- > LAN UltraSurf setInternetOption 127.0.0.1:9666

IE IE

4) 13 13 13 11 11

29

UltraSurf

rand()

srand()

0 0x20

CreateFile MSDN

DeviceIOControl API

API

API UltraSurf CreateFile, DeviceIOControl 3.5.6 IP UltraSurf

3.4 UltraSurf -UltraSurf -

30

UltraSurf

3.4.1 UltraSurf 3-10 UltraSurf IP

IE

127.0. 0.1:96 66

Ul tra Su rf

Ul tra Su rf

3-10 UltraSurf Web Fig. 3-10 Browse web through UltraSurf UltraSurf - 3.4.2 UltraSurf IP 3-10 UltraSurf 4 IP 1) IP 3.5.1 2) DNS 31

IP IP

UltraSurf

DNS IP DNS

DNS

:ns1.flade753d.net

DNS DNS IP IP IP IP 3) gdoc Google doc google doc HTTP 1-8 13 20

https://docs.google.com/View?docid=dd4gbd38_6c8fpk2 DNS http://docs.google.com

IP [8]

4) : IP IP IP 5 IP: 211.74.78.17 66.245.217.9 66.245.217.227 66.245.196.247 118.168.50.105 UltraSurf (1) (3) (1),(2),(3)(4) 3-11

(2)

32

UltraSurf

3-11 UltraSurf

Fig. 3-11 working process of UltraSurf 3-11

DNS 40

DNS IP 351

IP

IE 127.0.0.1:9666

DNS ns1.f1ade735d.net UDP

IP 40 DNS IP

DNS DNS

IP - IP,33

DNS

UltraSurf

IP IP , IP UltraSurf UltraSurf IP IP

3-11 IP IP IP -

DNS ,gdoc IP DNS IP IP

- IP IP IP 3.4.3 UltraSurf UltraSurf UltraSurf 1 1) UltraSurf 3 3.3.6 2 UltraSurf 2

1 2) 3) 4) 5) 6) 7) 8) 9) 10) IE 1

DNS UltraSurf

127.0.0.1:9666 TCP

2 IP

127.0.0.1:9666 IP

3 3 IP 3 (15) UDP DNS 10

3 IP TCP DNS

34

UltraSurf

IP

11) 12) 13) 14) 15) 16) 17)

IP IP IP IP IP (15) (15) URL,

IP , 443 IP IP 3 1 2

IE

3.5 UltraSurf UltraSurf 1) 2) 3) DNS 4) RC4 5) 6 UltraSurf

3.5.1 UltraSurf UltraSurf 8 4 8 9 35

2 3 2

UltraSurf

1

2 8

9

4

UltraSurf IE C vol [i] C

F( A B) = C C G C i 0 7

D[i], 8 D[i] para 32 vol 32 num

char 6

file_name 1 2 3 4 5 6 7 para vol vol = vol ^ 2 4 8

char 8 9

API C para * 32

vol = vol ^ 0x801 vol = vol + para vol file_name[0] 0x41 0x7E

vol / 2 26 8 9

num vol i vol num 0x61 vol 26

[i - 1]

26

0x61

36

UltraSurf

3.5.2 UltraSurf UltraSurf IP 3 UltraSurf 8 DNS IP

8

8

F([i], [j]) = t, t t 1 2 3 0xFABEBABE - 8

8

4) 3 8 5) 0x3F6CB254 0xAE985D36 6) 0 0x78B4FEAE 0 : - 0x3DCF578A

7) - 7.1) index 0 7.2) index

7.3) - counter

table_[index] ^= (counter / 16) | ((counter / 16) * 16) ; 7.4) - counter - - 37

UltraSurf

plain_[counter] = table_[index] ^ cipher_[counter]; 7.5 7.6 7.2 8 - index index = (cipher_[counter] % 7) ^ index;

3.5.3 UltraSurf NS D 0x00 32 0 ASCII 3.5.4 UltraSurf 32

32 1F

2008-05-05 18:40:00,send UDP query to 58.9.3.4, - RC4 RC4 256 - UltraSurf 256 00-FF

-

38

UltraSurf

3.5.5 UltraSurf UltraSurf 443 8 6

14

8 6 1 2 2 3

malloc -

- 1 3 1

2

1 2 3 4 5 6 7 8 9 10 11 12 -

1

- 1 1 1 1 2 2 -

- 3 2 3 7 9 1 1 1 1

10

8 6 -

3.5.6 UltraSurf UltraSurf 13

39

UltraSurf

08 01 11 rand

1 2 3 4 CreateFile

mac WD-WMAM9DZ12046" WD

DeviceIOControl

SMART_RCV_DRIVE_DATA -

netbios 10 0A+"

0x1E 10 3 WMAM9DZ12046" ),ECX( 0xF8C9) 5 EDI EAX*ECX+EDI ECX=ECX*0x5C6B7, - EAX 8 EAX 11 EAX UltraSurf UltraSurf 20 " EAX( 0 0xF8C9

ESI 0

EDI

3.6 UltraSurf - (1) - UltraSurf Visual C++ 6.0

40

UltraSurf

(2) - UltraSurf UPX (3) - (4) - - (5) DNS IP - IP (6) IP URL - IP URL DNS (7) - (8) UltraSurf DNS DNS UltraSurf Winsock2 API TCP UDP UltraSurf MFC Windows UltraSurf

41

UltraSurf

4.1 ltraSurf U IP 4.1.1 4 1

4 1 Fig. 4-1 The Flow Chart of Encrypting-Agent Technology

42

UltraSurf

4.1.2

-

4-2 Fig. 4-2 The Flow Chart of Software Analysis43

UltraSurf

4-2

-

IP

4.2 - IP [16]

1

IP IP 90 IP IP

IP IP 2

IP

2002

ACK-FIN

IDS

[18]

5-15 IP IP

44

UltraSurf

3

IP

IP

IP IP IP

4.3 UltraSurf DNS IP DNS IP - UltraSurf DNS IP

IP

UltraSurf DNS

DNS

UltraSurf

DNS

DNS IP UltraSurf 1 2 3 IP IP DNS IP IP URL

45

UltraSurf

4.4 4.3 4-3

4-3 Fig. 4- 3 Network Topology PC Fedora 6 Linux

Linux

Linux iptables

IP URL IP Linux

IP

UltraSurf IP UltraSurf

IP

46

UltraSurf

IP

UltraSurf IP iptables

IP

IP

4.4.1 1 UltraSurf 2 UltraSurf IP IP

www.yahoo.com spaces.msn.com www.qxbbs.org www.dajiyuan.com cn.profiles.yahoo.com spaces.live.com www.msn.com flikcr.com

47

UltraSurf

4.4.2 UltraSurf

4-1 4-2 4-1 UltraSurf / / 4-2 UltraSurf

4.4.3 P I UltraSurf IP 4512

6000 IP IP

IP

4-3 4-3 IP 1360 442 103 22 12

6

48

UltraSurf

UltraSurf IP UltraSurf 1 2 3 IP -

49

UltraSurf

[1] ,

2003 2004 2006 A taxonomy

[2] , [3] , [4]

- 7(1)

[] 2001

[5] E Chikofsky, J Cross IEEE Software, 1990

Reverse engineering and design recovery

[6] Hassan, A.E., Holt, R.C. The small world of software reverse engineering, Reverse Engineering, 2004.Proceedings. 11th Working Conference on 8-12, 2004.11. [7] Rainer Koschke. Software Visualization for Reverse Engineering, Lecture Notes in Computer Science. Volume 2269, 2002. [8] Andritsos, P., Miller, R.J. Reverse engineering meets data analysis, Program Comprehension, 2001. IWPC 2001. Proceedings. 9th International Workshop on1213, 2001.05. [9] Moise, D.L., Wong, K., Sun, D. Integrating a reverse engineering tool with Microsoft Visual Studio .NET Software Maintenance and Reengineering, CSMR 2004. Proceedings, 2004. [10] Kris Kaspersky, Hacker disassembling uncovered, 2004 [11] Kip R. Irvine [12] 2003 [14] 2004.6 [15] , , [16] 2003.550

Assembly language for intel-based computers

2004 Windows 32

2006 Vol.2 No.2 .

[13] , ,

, ,

2001.

VPN

UltraSurf

[17] ,, 2004.4 [18]

Vol.14 No.4

- 2000.1

[]

[19]

Vol.36 No.8 1999.8 [20] Vol.20 No.4 2000.12 [21] 80X86 1999 [22] 2003.7 40 7

51

Documents

UltraSurf analysis by Zhang Lei (in Chinese)